Bring Your Own Key
Using Bring Your Own Key, users with the Key Management Editor role can use the Auth0 Management API to replace the default Auth0 Environment Root Key with their own Customer Provided Root Key. Customers can securely upload their own Root Key, which contains their own cryptographic material, to:
- Meet custom key generation and provenance requirements for the Environment Root Key
- Meet specific key installation or lifespan requirements for the Environment Root Key
- Keep a copy of the Customer Provided Root Key on customer premises.
By importing your own Customer Provided Root Key with Bring Your Own Key, you are implicitly deauthorizing Auth0 from managing the lifecycle of the Customer Provided Root Key, except for its deletion.
- Call the Create the new encryption key endpoint to initiate the Bring Your Own Key process and obtain the kid (key identifier) of the pre-activated Customer Provided Root Key, which has no cryptographic material yet. This endpoint returns the kid value, which is the key's unique identifier.
- Call the Create the public wrapping key endpoint to create and return a public wrapping key.
- In your environment, generate your own cryptographic key material and wrap (encrypt) it with the public wrapping key to create a Wrapped Encryption Key (the Customer Provided Root Key).
- Call the Import the encryption key endpoint to import your Customer Provided Root Key to Auth0.
Cryptographic material requirements
Use your key management system to wrap your own cryptographic material with the public wrapping key and create the Wrapped Encryption Key. Use these settings for the CKM_RSA_AES_KEY_WRAP algorithm parameters based on your Auth0 Cloud Service Provider (AWS or Azure):
Auth0 on AWS cloud
- Public wrapping key length: 3072 bits
- Algorithm: CKG_MGF1_SHA256
- Temporary AES key length for CKM_AES_KEY_WRAP_PAD: 256 bits
- Customer provided root key type: 256 bits long AES symmetric key
Auth0 on Azure cloud
- Public wrapping key length: 2048 bits
- Algorithm: CKG_MGF1_SHA-1
- Temporary AES key length for CKM_AES_KEY_WRAP_PAD: 256 bits
- Customer Provided Root Key type: 2048 bits long RSA private key
- Private key encoding: PKCS #8 - ASN.1 DER
Permissions
Use the following permissions to provide access to the encryption keys endpoints.

Permissions | Descriptions |
---|---|
read:encryption_keys | Users can search and retrieve keys in the Auth0 tenant. This includes reading from the /api/v2/keys/encryption and /api/v2/keys/encryption/ endpoints. |
create:encryption_keys | Users can create their own Customer Provided Root Key and public wrapping key through the /api/v2/keys/encryption and /api/v2/keys/encryption//wrapping-key endpoints. |
delete:encryption_keys | Users can delete their own Customer Provided Root Key through the /api/v2/keys/encryption/ endpoint. |
update:encryption_keys | Users can import their own Customer Provided Root Key through the /api/v2/keys/encryption/ endpoint. |
Endpoints
- Use the Get all encryption keys endpoint to retrieve information about the current Environment Root Key or Customer Provided Root Key, and the Tenant Master Key.
- Use the Get the encryption key by its key id endpoint to retrieve information about the specified key.
- Use the Create the new encryption key endpoint to create a pre-activated Customer Provided Root Key placeholder.
- Use the Create the public wrapping key endpoint to retrieve a Public Wrapping key to wrap your cryptographic material.
- Use the Import the encryption key endpoint to import a new Customer Provided Root Key material.
- Use the Delete the encryption key by its key id endpoint to delete an existing Customer Provided Root Key and opt out of using Bring Your Own Key. The Auth0 Environment Root Key is then used to re-encrypt the key hierarchy. This operation does not negatively impact existing data and authentication flows.
If the Customer Managed Keys feature is not enabled in your tenant, calling the API endpoint(s) will return the error: "This feature is not enabled for this tenant".